On Jun 8, 2012, at 12:26 PM, Stephane Bortzmeyer wrote:

> On Fri, Jun 08, 2012 at 03:09:04PM -0400,
> Joe Maimon <jmai...@ttec.com> wrote
> a message of 7 lines which said:
>
>> Is there any publicly available rate limiting for BIND?
>
> Not as far as I know. I'm not sure it would be a good idea. BIND is
> feature-rich enough.
>
>> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> What I do (I manage a small and experimental open resolver) is to use
> iptables this way (porting it to IPv6 is left as an exercise):
>
> iptables -A INPUT -p udp --dport 53 -m hashlimit \
> --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
> --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
>
IPv6 should be a simple matter of putting the same line in your ip6tables file.

Owen
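As an added example (not code from the thread), the quoted hashlimit rule wrapped in a small POSIX sh script that builds it for both iptables and ip6tables, checks with -C whether it is already present before appending, and by default prints the commands instead of running them. The IPv6 source mask of 64 and the DRY_RUN variable are assumptions made here, not part of the original posts.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the hashlimit rule quoted above
# for IPv4 and IPv6. Assumptions made here: the IPv6 source mask (64) and
# the DRY_RUN switch, which defaults to printing commands instead of running them.

# Rule arguments shared by both families. $1 = source mask bits to group on.
dns_ratelimit_args() {
    printf '%s %s %s %s' \
        "INPUT -p udp --dport 53 -m hashlimit --hashlimit-name DNS" \
        "--hashlimit-above 20/second --hashlimit-mode srcip" \
        "--hashlimit-burst 100 --hashlimit-srcmask $1" \
        "-j DROP"
}

# Select the tool: ip6tables for family 6, iptables otherwise.
dns_ratelimit_tool() {
    if [ "$1" = 6 ]; then echo ip6tables; else echo iptables; fi
}

# Append the rule only if -C (check) says it is not already there, so the
# script can be re-run without stacking duplicate rules.
# $1 = 4|6, $2 = source mask bits.
dns_ratelimit_apply() {
    tool=$(dns_ratelimit_tool "$1")
    args=$(dns_ratelimit_args "$2")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$tool -C $args 2>/dev/null || $tool -A $args"
    else
        # Word splitting of $args is intended: each token is one argument.
        $tool -C $args 2>/dev/null || $tool -A $args
    fi
}

dns_ratelimit_apply 4 28   # /28 grouping, as in the quoted rule
dns_ratelimit_apply 6 64   # assumption: group IPv6 clients per /64
```

Run with DRY_RUN=0 as root to actually install the rules.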